I need to rewrite the client authentication scheme in requests going through an Apache 2.4 reverse proxy. Specifically, I want to ignore the provided username and password, and force the same username + password for all requests. Is that doable?
- This is a *very* broken design. Why do you think you need to do this? – EEAA Aug 19 '16 at 17:22
- Basically clients will access non-sensitive information on an untrusted server with credentials which need to be kept safe. – Nicolas Melay Aug 19 '16 at 17:28
1 Answer
If you're using basic authentication: yes, as that depends on a request header included in every request. https://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers
Note: If you need to specify custom request headers to be added to the forwarded request, use the RequestHeader directive.
RequestHeader: This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified. ...
And then in your httpd.conf:
RequestHeader set Authorization "Basic <base64-encoded login+password>"

HBruijn
- Yes, that did the trick! Added the following line in the VirtualHost definition: RequestHeader set Authorization "Basic " – Nicolas Melay Aug 23 '16 at 14:11
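
Added example, not part of the original question or answer: a shell helper that builds the base64 value for the `RequestHeader set Authorization` line discussed above and prints the directive. The function names and the sample credentials are constructed for illustration; `RequestHeader` requires mod_headers to be loaded.

```shell
#!/bin/sh
# Added example. Function names and sample credentials are constructed.

# Print base64("user:password"), the value that follows "Basic ".
basic_credentials() {
    user=$1
    pass=$2
    # The user-id cannot contain ':' because ':' separates it from the
    # password in the Basic scheme (RFC 7617).
    case $user in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # printf, not echo: echo appends a newline that would be encoded into
    # the credential and make the backend reject it. tr removes the line
    # wrapping that some base64 implementations add to long output.
    printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n'
}

# Print the directive to place inside the proxying VirtualHost.
# "set" replaces any Authorization header the client sent, so the
# client's own username and password never reach the backend.
request_header_line() {
    cred=$(basic_credentials "$1" "$2") || return 1
    printf 'RequestHeader set Authorization "Basic %s"\n' "$cred"
}

# Constructed sample input (the credential pair used in RFC 7617).
# base64 is an encoding, not encryption: anyone who can read the config
# file holding this line can recover the password, so restrict the
# file's permissions accordingly.
request_header_line 'Aladdin' 'open sesame'
```
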